Security Incidents mailing list archives
Re: Probable Trojan.
From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 28 Oct 2003 11:17:09 -0800 (PST)
For checking startup locations, I'd recommend AutoRuns from SysInternals and AutoStart Viewer from DiamondCS. --- Brian Eckman <eckman () umn edu> wrote:
Gene wrote:Have a buddy complaining about his AOL accountpassword being stolen every time he logs onto AOL from his PC at work. I talked him through doing an fport on his box and he sent me the results: <snip> I wouldn't worry about services listening on the machine as much as what is running at startup. A keylogger or other password stealer has no need to listen on a port. It would more likely phone home as needed. Based on your FPort results, I assume it's Windows 2000, which doesn't ship with MSCONFIG.EXE. I'd personally grab a copy of MSCONFIG.EXE from a Windows XP box and run it on the machine to get a quick glance at most places that malware run from to load when Windows starts up. (Disclaimer: I have a site license for Windows upgrades and therefore what I propose above should be legal in my workplace. Your mileage may vary.) I know, I know, MSCONFIG doesn't show every piece of code that launches at startup, and you can manually go to each location it checks to see what is running. It's just a really quick way to check the usual suspects... Brian -- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota 612-626-7737 "There are 10 types of people in this world. Those who understand binary and those who don't."
---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------
--------------------------------------------------------------------------- Network with over 10,000 of the brightest minds in information security at the largest, most highly-anticipated industry event of the year. Don't miss RSA Conference 2004! Choose from over 200 class sessions and see demos from more than 250 industry vendors. If your job touches security, you need to be here. Learn more or register at http://www.securityfocus.com/sponsor/RSA_incidents_031023 and use priority code SF4. ----------------------------------------------------------------------------
Current thread:
- Probable Trojan. Gene (Oct 28)
- Re: Probable Trojan. Brian Eckman (Oct 28)
- Re: Probable Trojan. Harlan Carvey (Oct 28)
- RE: Probable Trojan. Mark E. Donaldson (Oct 28)
- RE: Probable Trojan. Jim Butterworth (Oct 29)
- <Possible follow-ups>
- RE: Probable Trojan. Thompson, Jimi (Oct 28)
- Re: Probable Trojan. debrasuz (Oct 28)
- Re: Probable Trojan. Brian Eckman (Oct 28)